Doubts about active or disabled rules

Douglas_Ribeiro · October 14, 2020, 11:10am

Hello friends, I need to clear a doubt with you.
I have the meerkat running here and I do some local tests to see if it activates any alerts and is activating.
It has been running for about a week and has just picked up two ZMAP scanner alerts. I would like to know how I can see if the rules are all active, or how many are active, to see if everything is all right or if there are only a few that are active.

Jeff_Lucovsky · October 14, 2020, 11:43am

Hi,

There are a couple of ways that you can view information about the rules that Suricata has loaded

Suricata displays rule related values when it (a) starts and (b) after a reloading rules.
Use the suricatasc command

Example output for (1)

14/10/2020 -- 07:39:13 - <Info> - 1 rule files processed. 19188 rules successfully loaded, 0 rules failed
14/10/2020 -- 07:39:13 - <Info> - Threshold config parsed: 0 rule(s) found
14/10/2020 -- 07:39:14 - <Info> - 19191 signatures processed. 1094 are IP-only rules, 3860 are inspecting packet payload, 14180 inspect application layer, 0 are decoder event only

Example for (2)

# suricatasc -c ruleset-stats /usr/local/var/run/suricata/suricata-command.socket
{"message": [{"id": 0, "rules_loaded": 19188, "rules_failed": 0}], "return": "OK"}

Douglas_Ribeiro · October 14, 2020, 2:04pm

I used the command suricatasc and he showed me a list of commands to use, I used the command ruleset-stats and he showed me this:
Success:
[
{
“id”: 0,
“rules_failed”: 0,
“rules_loaded”: 23130
}
]

Is it correct then?

sbhardwaj · October 14, 2020, 2:34pm

Hi @Douglas_Ribeiro!

This seems alright if you want to see the rule stats. Here, you see the number of rules loaded and failed with the Suricata engine. If you want to check active rules, suricata-update would be able to give you the best results.
If you run suricata-update, you’ll see a line like
14/10/2020 -- 19:49:09 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 28335; enabled: 21311; added: 172; removed 3; modified: 7114

Active rules: 21311 in the file /var/lib/suricata/rules/suricata.rules.

(Added, removed etc are because it is the rule manager and keeps on updating the rules as per flowbit dependencies and/or changes from the rule source)

This also gives you the file name where your rules are stored, so you can check that file out for all the rules. (The ones starting with # are disabled, rest are enabled)

We are working on generating a report of any changes made to the rules so its easy to check if something was changed among the existing rules: https://github.com/OISF/suricata-update/pull/246

Topic		Replies	Views
Cannot load my own rule Rules suricata	2	360	October 15, 2022
Is there a way to periodically check if the latest ruleset is used Rules	0	280	February 23, 2021
Suricata is not running after 260k loaded rules Help suricata	6	347	January 18, 2023
How to get list of all enabled Suricata rules?	3	2478	November 7, 2022
Suricata-update adds commented/disabled rules to the suricata.rules Rules	8	2823	January 5, 2021

Doubts about active or disabled rules

Related Topics